codeql-action/.github/workflows/rebuild.yml at main · github/codeql-action · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: Rebuild Action

on:
  pull_request:
    types: [labeled]
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:
  rebuild:
    name: Rebuild Action
    runs-on: ubuntu-latest
    if: github.event.label.name == 'Rebuild' || github.event_name == 'workflow_dispatch'

    env:
      HEAD_REF: ${{ github.event.pull_request.head.ref || github.event.ref }}
      BASE_BRANCH: ${{ github.event.pull_request.base.ref || 'main' }}

    permissions:
      contents: write # needed to push rebuilt commit
      pull-requests: write # needed to comment on the PR
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
          ref: ${{ env.HEAD_REF }}

      - name: Remove label
        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          gh pr edit --repo github/codeql-action "$PR_NUMBER" \
            --remove-label "Rebuild"

      - name: Configure git
        run: |
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git config --global user.name "github-actions[bot]"

      - name: Merge in changes from base branch
        id: merge
        run: |
          git fetch origin "$BASE_BRANCH"

          # Allow merge conflicts in `lib`, since rebuilding should resolve them.
          git merge "origin/$BASE_BRANCH" || echo "Merge conflicts detected, continuing."
          MERGE_RESULT=$?

          if [ "$MERGE_RESULT" -ne 0 ]; then
            echo "merge-in-progress=true" >> $GITHUB_OUTPUT

            # Check for merge conflicts outside of `lib`. Disable git diff's trailing whitespace check
            # since `node_modules/@types/semver/README.md` fails it.
            if git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/'; then
              echo "Merge conflicts were detected outside of the lib directory. Please resolve them manually."
              git -c core.whitespace=-trailing-space diff --check | grep --invert-match '^lib/' || true
              exit 1
            fi

            echo "No merge conflicts found outside the lib directory. We should be able to resolve all of" \
              "these by rebuilding the Action."
          fi

      - name: Compile TypeScript
        run: |
          npm ci
          npm run lint -- --fix
          npm run build

      - name: Sync back version updates to generated workflows
        # Only sync back versions on Dependabot update PRs
        if: startsWith(env.HEAD_REF, 'dependabot/')
        working-directory: pr-checks
        run: |
          npm ci
          npx tsx sync_back.ts --verbose

      - name: Generate workflows
        working-directory: pr-checks
        run: ./sync.sh

      - name: "Merge in progress: Finish merge and push"
        if: steps.merge.outputs.merge-in-progress == 'true'
        run: |
          echo "Finishing merge and pushing changes."
          git add --all
          git commit --no-edit
          git push

      - name: "No merge in progress: Check for changes and push"
        if: steps.merge.outputs.merge-in-progress != 'true'
        id: push
        run: |
          if [ ! -z "$(git status --porcelain)" ]; then
            echo "Changes detected, committing and pushing."
            git add --all
            # If the merge originally had conflicts, finish the merge.
            # Otherwise, just commit the changes.
            if git rev-parse --verify MERGE_HEAD >/dev/null 2>&1; then
              echo "In progress merge detected, finishing it up."
              git merge --continue --no-edit
            else
              echo "No in-progress merge detected, committing changes."
              git commit -m "Rebuild"
            fi
            echo "Pushing changes"
            git push
            echo "changes=true" >> $GITHUB_OUTPUT
          else
            echo "No changes detected, nothing to commit."
          fi

      - name: Notify about rebuild
        if: >-
          github.event_name == 'pull_request' &&
            (
              steps.merge.outputs.merge-in-progress == 'true' ||
              steps.push.outputs.changes == 'true'
            )
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          echo "Pushed a commit to rebuild the Action." \
            "Please mark the PR as ready for review to trigger PR checks." |
            gh pr comment --body-file - --repo github/codeql-action "$PR_NUMBER"
          gh pr ready --undo --repo github/codeql-action "$PR_NUMBER"